Zach Gibbs, Content Developer, Juniper Networks

Configuring Juniper Secure Connect: Security Director

Learning Bytes Security
Slide showing a topology diagram, with a headline that reads, “Configuring Juniper Secure Connect — Security Director.” A bullet list reads, “Criteria for example: * Use Security Director to configure Juniper Secure Connect; * Use local authentication; * Remote workers: * Need to access Server-1; * Should not be able to access devices in the User zone.”

Learning Byte: Providing remote access to server-1 the easy way.

If you are new to working with Juniper Secure Connect and have a small number of users, then this video demo is for you. Follow along as Juniper’s Zach Gibbs walks you through configuring Juniper Secure Connect using Security Director from start to finish. This is part one in a two-part series. 

You’ll learn

  • How to use Security Director to give a small business’s remote worker access to server-1

  • The first things you need to do in the configuration process involving security devices

  • How to create the connection from the remote worker’s device through the VPN 

Who is this for?

  • Network Professionals

  • Security Professionals




0:00 [Music]

0:11 Hello, my name is Zach Gibbs and I'm a content developer within Education Services inside Juniper Networks, and today we will be going through the Configuring Juniper Secure Connect: Security Director, part one learning byte.

0:25 Okay, so here is our example. In this example I want to first talk about the topology, and here in the topology you can see a couple different devices. We have SRX1, which we will be configuring using Security Director, and then SRX1 is connected to the users in the branch, which is the Users zone, and then we have Server-1, which is connected into the SRX through the Servers zone, and then we have the internet, which connects to SRX1 using the untrust zone.

0:56 And so what we have here is we have a remote worker who needs access to Server-1, and so what we want to do is we want to use Security Director to configure Juniper Secure Connect, and we're going to use local authentication. That is good for a small business where you don't have a lot of workers. If you have hundreds of people who need access, remote access that is, then you'll probably want to use something like RADIUS authentication, where it'll be a lot easier to manage all those users.

1:30 And so with that being said, we have our remote worker who needs access to Server-1, and this remote worker should not be able to access hosts that are in the Users zone. And so with that being said, let's go ahead and jump to Security Director.

1:44 And get this going. All right, so here is Security Director, and we're currently in the Configure workspace, and we'll do some work in here, but first we need to jump to the Devices workspace. So here is SRX1, and the first thing we need to do is we need to create the local certificate that we'll be using. And to do that there's no real easy way in Security Director, and so we'll need to use the Access option to launch an SSH session to SRX1 and then log in.

2:20 And here in SRX1 we're going to first create the key pair that we're going to use: specify a size of 2048 and then a type of RSA, and then the certificate ID we're going to use is juniper-ra-lb, LB for Learning Bytes, so remote access learning byte. Okay, great, that's created. Let's go ahead and use that key pair to create a certificate: specify a certificate ID of that key pair and then specify a subject. We're going to say DC=juniper, CN=edl, then the domain, and then we need to specify an IP address. And this is very important, because this IP address we'll need to reference when creating the remote access VPN using Juniper Secure Connect. Click Enter to create that certificate. Okay, so we're good there, so we can close that, and that's the only thing we'll need to do in the CLI today.

3:30 And then we need to do some more device configuration. We'll go to Configuration, Modify Configuration. Okay, so we need to scroll down to the very bottom here and we'll see System Services. We'll expand that, scroll down some more, and we see at the very bottom HTTPS services. That's currently not turned on; we need to select Allow to turn that on. And then if we scroll down we can select some interfaces. If we don't select any interfaces, then it's going to be applied to all interfaces. And by default we have system-generated certificate; we want to change that to PKI local certificate and then select the certificate that we just created. We could specify a different port, but we need to leave that at the default of 443.

4:11 And then the next thing we need to configure is the security zone. The untrust security zone is already configured here, but we need to edit it and add in some system services. And if we scroll down we have System Services. Oh wait, a little too far. HTTPS is necessary, and then TCP encapsulation, and then IKE. Then we can click OK, and then we can preview changes to kind of see what we're doing here, and you can see here it's pretty straightforward: we're adding https, ike, and tcp-encap to the untrust zone for host inbound traffic, and then we are setting the web management HTTPS certificate to the juniper-ra-lb certificate we just created a few moments ago. So close that and click Save and Deploy, and that will just take a second after we click OK again to run it. And great, that job went through successfully. Let's go ahead and click OK.

5:20 Now we can jump back to configuration mode, and we're going to need to create a few things. Let's go ahead and start with the firewall policy that we'll need. So let's create a new policy; we'll call this RA-FW-POL, POL short for policy, and then we'll move SRX1 over. And then we need to create some firewall rules for this policy, so we'll call this From Remote Workers, and then the source address, or the source information, is going to be VPN; it'll be coming into the VPN zone, and then it'll be going to the Servers zone. And here let's go ahead and select an address. We'll select and add the server address here, and granted, that does say server-123; it's actually Server-1, Server-1's IP address. I meant to change that earlier, but here we have it. Click OK, then we'll select Permit. Under Advanced Security we could add different parameters here such as IPS or app firewall if we wanted to scan this traffic, or IDP, threat prevention, things like that. And then let's go ahead and jump to the end and finish off this rule.

6:43 And then we need to create a rule for the server, so we'll say To Remote Worker. So source address, this will be coming from the Servers zone, and we're going to select that server address. And then in the destination information we're going to select the VPN zone and then, of course, permit the traffic, and you could add additional security checks here if you wanted to, of course. And then rule placement; let's click Finish, click OK. And so things look pretty good there. We'll go ahead and save that and we'll publish it, but we won't update the devices yet, because we can do a publish now and then an update later once we have everything else configured that we're doing for this learning byte. And great, you can see that went through successfully, that job, no problems there.

7:42 So let's go ahead and move on to the NAT configuration. So we'll go to NAT Policies, and let's create a new NAT policy, and I'll explain why we're doing this, because there's a specific reason to do this. Give it a name, select SRX1, and then let's create a new rule here. Create a source rule, and then the source ingress information: we're going to say from zone VPN, and source address we're just going to put down any IPv4 address, so match on everything coming in from the VPN zone, and you could specify more specific information here if you would like. And then destination egress: we're going to specify the Servers zone, and then we're going to specify translation of interface, so it's going to be the source interface.

8:50 And what we're doing here, let me explain the reason behind this. So traffic is going to be coming in from the VPN zone, and we haven't done it, and we'll do this in the next learning byte, that is the second part of this learning byte, but we will have to assign the remote worker a certain IP address, and the server won't know how to get to that IP address, or rather it'll think it'll need to use the default route to get to that IP address. And so if it does that, it'll send the traffic to the SRX; the SRX will think it needs to use a default route and then send the traffic out its internet-facing interface without putting the traffic in the tunnel. So we can get around this problem by doing a source NAT on the traffic coming in from the VPN going towards the server, because what happens is we are doing source NAT on that interface that is pointing towards the Server-1 device. And so what happens is that traffic comes in, the source NAT changes it to the IP address, which in this case is the interface address, and then the server knows that it just sends it to that address. And when that happens, reverse source NAT will take the traffic and then change the IP address, which then gets it into the tunnel, and so this allows the routing to happen as needed. And so what we could do besides this is we could use some sort of static routing to put the return traffic back inside the tunnel. So let's go ahead and publish this, and then we'll move on after that. And that job is complete, so let's go ahead and close that window.

10:27 And then let's go ahead and go back to Devices, and then we'll do an update, and we'll update those two changes for firewall policy and NAT to SRX1. And those firewall policies and NAT policy were successfully pushed to SRX1.

10:53 And so quickly let's look at the topology as a reminder. We have SRX1, which has three different interfaces. We have the Users zone connection, the Servers zone connection, and the untrust zone connection. And the Users zone houses the users in the branch, and the Servers zone houses Server-1, and the untrust zone connects to the internet. And we have the remote worker who needs to connect in to SRX1, into this site, and then they need to be able to access Server-1. Now, with that, the remote worker should not be able to access anything in the Users zone but should only be able to access Server-1. And so we're using Security Director to configure this, and we're using local authentication. And so with that, let's go ahead and jump to Security Director to finish this learning byte series.

11:45 Okay, so here is Security Director. Recall from the last learning byte that we created the local certificate, we configured the SRX1 device to use that local certificate, and then we created some firewall policies as well as a source NAT policy. So next let's go to the Configure workspace and then go to IPsec VPN, IPsec VPNs, and then Create VPN, Route-Based VPN, and then Remote Access, Juniper Secure Connect. And here we can name the VPN, then we can give a description; that's not necessary. We have to use the traffic selector auto route insertion option, and we'll see how that's configured. We can specify a VPN profile, but using the default works well. And then the method for what we need to use is pre-shared key, since we're using local authentication, and the pre-shared key we can either define one or we can just auto-generate it, and auto-generation is perfectly fine for here. And we can use the generate a unique key per tunnel as well, and that's set to on.

12:48 And then to begin we need to click the remote user icon, and that starts us off with asking us which device we want this to be for, and we just have SRX1 here. Typically when using Security Director you'd have a lot more than SRX1, but since this is a learning byte that's all we need to do. We click OK there and then we have the remote user configuration. Again we are using the default profile, connection mode is set to manual; we can have it set to always, but manual works fine for what we're doing. SSL VPN, we want to leave that on. We have dead peer detection configured as well by default, and Windows login is not selected, as well as biometric authentication; both of those can be configured for a remote access VPN with Juniper Secure Connect.

13:32 We'll click OK, then the next thing we need to do is select the SRX1 device to configure the rest of it. External interface, that's going to be ge-0/0/1, and notice how the IP address is associated with that. Remember that in the previous learning byte we referenced that IP address when creating the certificate. The tunnel zone in our case is going to be VPN; now, I created that zone beforehand. And then user authentication: there's nothing to select here, so let's go ahead and add some user authentication. And notice here up top, this is very important, it says update access profile before updating remote VPN. Now, when I first tried to do this I didn't see that, and things didn't work out. I tried to push the configuration and it failed, and that's because after we create the VPN, before we send it to the device, we need to go to the remote access configuration and update that first. So keep that in mind; that's incredibly important.

14:31 I set this to local, and of course there's nothing for address assignment yet, so we need to create an address pool, and we'll call this pool RA-pool-SD-LB, and then we need to specify the network address. We'll use that, make that a /24, and then we need to specify a DNS server that the user can use. And then let's go ahead and specify an address range that can be used within that pool. First we need to call it; we'll call this RA-pool-SD-LB, and we'll set the lower limit, so we're going to start handing out IPs with that address, then a high limit. Go ahead and click the checkbox and click OK, and then we need to add a local user: lab, lab123, pretty standard for Education Services there. And then we're done with the address assignment part and the user authentication.

15:32 Now we need to use an SSL VPN profile. There's nothing here, so we do need to add one, and we'll call this SSL-VPN-SD-LB for the profile name, and we need to create an SSL termination profile. And this is something that we're just going to name here and the system will create the actual profile for us, because what happens with this profile, the termination profile that is, is that we name it and then we reference the certificate. Then we reference that certificate that we created in the previous learning byte and click OK.

16:12 And we're not quite done yet; we have to specify a protected network. Now, here we have an address of server-123, which is actually Server-1. I meant to change that before I did these learning bytes, but that's the IP address associated with Server-1, and that works great. And when we do this, this automatically will create a scenario where split tunneling happens, meaning only traffic to the server is going to go through the tunnel for the remote worker, and all other traffic will use the remote worker's normal internet connection. And that's exactly what we want. Now, if we didn't want that, we'd have to specify an address that is a default address, so all zeros, so 0.0.0.0, and that would cause all the traffic to go through the tunnel, because we would consider everything to be protected networks, and so that means we would send everything through the tunnel. Now, you can do that if you want, but in our case we don't want to do that, and that's very applicable right now in today's world where we have a lot of remote workers. If you're sending all of their traffic through the SRX device for all your remote workers, that might overwhelm your SRX device, so let's avoid that and just send the traffic through the tunnel that we need to send.

17:23 Okay, so that almost finishes the configuration. We need to scroll down under IKE and IPsec settings, and this is going to be under IKE: you need to specify an email address. And I actually changed that keep-alive, I believe it was at 10, so we'll change that back. And we're going to say lab, and that's going to be a part of the IKE ID.

17:46 And so we go up here and click Save, and then we'll have one more thing it'll prompt us for. It'll say new profile name. What this is, is this is the dynamic configuration in the CLI, and so we'll need to specify the name and then we'll need to set it to shared as well. So we'll set this as RA-dyn-SD-LB for the name and we'll set it to shared, and we've completed that configuration.

18:10 But remember, we need to jump to the access configuration before we push this VPN configuration to SRX1. So that is going to be under User Firewall Management and then Access Profile, and you'll see this is that access profile we created, so we can select that and click Update, and that will push it out to SRX1. You just select SRX1, click Update, confirm it, and let's go ahead and click on the job number, and we'll see, great, that worked out, 100% successful state. So we're good there, so let's go ahead and jump back to Configure and then go to IPsec VPN and IPsec VPNs, and then select our remote access Juniper Secure Connect VPN and click Update, and we'll click Publish and Update, confirm it. All right, so that job completed successfully; that's great. So let's go ahead and jump to the remote worker device and see how this works.

19:12 Okay, so here is the remote worker device, and first I want to show that we actually can't reach that server, Server-1, from the remote worker device if we're not connected through the VPN, and that's perfect; that's what we want to see. If this wasn't the case, then this would mean that anybody on the internet could reach it, so that's great. Well, with that, let's go ahead and use Juniper Secure Connect that I have right here, and you can see I've already created a profile for something else. Let's create a new connection, and with this, notice that it auto-populated the gateway address. Now, if this was your first time using Juniper Secure Connect, you would need to type this in, and so we've typed in this information, and let's click the connection button, and we're prompted for our user ID and password.

20:00 And then we're presented with a certificate warning. Now, why are we presented with this? Well, the reason is this is the local certificate that we created. This is not going to be a trusted certificate by default, because we created it, not a trusted certificate authority. So we can just accept this, and you can see here, I want to show that the IP address is a part of this certificate; that's very important. So let's click Accept, and then the VPN is starting to establish, and the connection is successful. Great.

20:33 And look at the side here: we can see that the communication is occurring like it should. We can reach Server-1 using its IP address, and so perfect, that's what we want to see. Now, something else I do want to show is, since we are doing split tunneling, you can look at the data here. You can see that we've sent some data, received some data; there's one one three, or one one one three, and one one one three. And so what happens if we send something to an internet address like the Google DNS server? And notice how that doesn't increment those; we're still at the same numbers that we were before, and that's perfect; that's what we want to see. And it doesn't go through the tunnel because we configured it that way. And so if we were to ping the server again, you can see that the data transmitted in kilobytes and data received in kilobytes is incrementing, and that's perfect; that's exactly what we want to see.

21:33 So that brings us to the end of this learning byte. In this learning byte we demonstrated how to configure and verify Juniper Secure Connect using Security Director. So, as always, thanks for watching. Visit the Juniper Education Services website to learn more about courses: view our full range of classroom, online, and e-learning courses; learning paths; industry segment and technology-specific training paths; the Juniper Networks Certification Program, the ultimate demonstration of your competence; and the training community, from forums to social media. Join the discussion.

